A major cyber attack is currently underway aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued to the industry by the US Department of Homeland Security.

At least three confidential “amber” alerts – the second most sensitive next to “red” – were issued by DHS beginning March 29, all warning of a “gas pipeline sector cyber intrusion campaign” against multiple pipeline companies. But the wave of cyber attacks, which apparently began four months ago – and may also affect Canadian natural gas pipeline companies – is continuing.

That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.

During the House of Representatives' so-called Cyber Week, there was disagreement regarding the nature of the cyber threat. Following is a recent Richard Clarke quote differentiating an acute threat from a chronic threat:

People keep asking, well, do we have to have a cyber Pearl Harbor in order for people to do the right thing? Implicit in that question is sort of a hope that that will happen and then maybe we’ll fix everything. I don’t know that there ever will be a cyber Pearl Harbor. What I do know is that we’re suffering the death of a thousand cuts in the little Pearl Harbors that are happening every day, where cyberespionage and cybercrime are having a huge cumulative and negative effect. The theft of research and development information, the theft of intellectual property, the theft even of transactional data is giving huge economic advantage to our competitive opponents in other countries. If we all sit around waiting for the apocalypse to do something appropriate on cybersecurity, it may never happen and we may never solve the problem.

… it was the report’s findings about cybersecurity that appeared to be the most troubling, and they continued a drumbeat from the Obama administration about the need for Congress to pass legislation giving the Department of Homeland Security the authority to regulate computer security for the country’s infrastructure.

The report said that cybersecurity “was the single core capability where states had made the least amount of overall progress” and that only 42 percent of state and local officials believed that theirs was adequate.

I hope HLSWatch readers will take the time to read the NPR. I would welcome your comments, concerns, or more here. How should we read it? What are the major take-aways? What are the major questions raised? What should we do with it? What can we do with it? If there is a delta between should and can, what does that tell us?

The NPR, despite being labeled a FEMA report (and FEMA was charged by statute in PKEMRA 2006 with its annual preparation), was by its own terms fully coordinated. One of its defects highlighted by this supplemental post is that FEMA, IMO, has no role, informal or formal, over cyber security issues, which remained behind when certain functions of the Preparedness Directorate, headed then by George Foresman, were left behind when the “new” FEMA was formed. The annual preparedness report would have been a better contribution if it had used metrics rather than FEMA’s normal dodgy language of “substantial progress” or some related terminology, and had specifically indicated what part of FEMA, DHS or other government components were responsible for upgrading preparedness in the USA.